Whoah…. what a long title! I know, I know and I’m sorry. What I’m about to cover is something that I think most administrators might miss. I know it’s bit me before (I’m not ashamed to admit it).
Okay, let’s say you’ve just finished integrating a new SSO application to your EntraID list Enterprise Applications using SAML. You spent all that time working through custom claims and mappings.
IT WORKS! Huzzah!
—Fast Forward A Few Years—
Monday Morning: 9:00 AM
Product Owner: Our SSO Isn’t working, Azure is down.
Me: If Azure is down, you wouldn’t be able to log in to Teams to tell me Azure is down.
Product Owner: Well something broke and we didn’t do anything. None of our users can log in and it’s telling them a certificate has expired.
As an admin / engineer, you check the sign-in logs, the audit logs, the service portal, etc. Everything is normal and healthy. You’re scratching your head as to where the certificate error is at. Must be on Service Provider side, they didn’t update their SSL Bindings…… WELP… turns out it was on you.
Remember some years ago when you setup that SSO App using your administrative account. You know, the account that has all the segmented privileged but no email attached to it. Turns out Entra tried to send you a notification before your SAML Signing Certificate expired, but you didn’t get it because that email address doesn’t exist. By default, when you first setup an SAML SSO Application in Entra, the username that created the Enterprise Application (selecting SAML as the SSO Method) will be recorded as the Notification Email Address.
I’d be willing to bet that you missed that when you clicked “Save” and began your testing, never to think of it again. Or maybe it was created by an admin who left the company and didn’t pay attention during their setup. Or – Insert Reasonable Scenario Here-….
Whatever the case may be, here’s an elegant way to solve this issue for All of your SAML Based Enterprise Applications. The following PowerShell script will pull all of the Enterprise Applications belonging to your Organization (weeding out Microsoft Applications or Multi-Tenant Applications), and set the notification email to an email or distribution group of your choosing. You can choose to run this script manually on a Monthly / Quarterly Basis or set it up to run with Automation (like an Azure Automation account with Managed Identity).
Notes:
- I’m making an assumption in this script that you are using the Microsoft Generated SAML Signing Certificate and not uploading your own custom certificate. (CN=Microsoft Azure….)
- You will also need at minimum the Application Administrator Role Activated in Azure or, in the case of an App Registration / Managed Identity, Application.ReadWrite.All
- You’ll notice I left a reference so $samlApplications in the comments. When I originally set out to develop this script, I found an attribute on ServicePrincipals that indicated with the SingleSign Method was SAML. Upon my first few test runs, I started finding that this field isn’t always populated. I thought perhaps this was because of the creation date on some of the apps and the field didn’t exist. I couldn’t seem to find a correlation so I went a different route which you see below. Let me know if the comments if you can figure out the mystery.
#Reserved for Function Declarations
#Main Execution
#Connect to the Tenant
#Connect-mggraph -identity
#Grabbing the Organization Information to extract TenantID
$tenantInformation=Get-MgOrganization
#Extracting TenantID to be used to filter out Apps Owned by your tenant and not MultiOrg Owned (MSFT and other vendors)
$tenantId = $tenantInformation.Id.tostring()
#Creating the body parameters to update Notifications Email Address
$email = "[email protected]"
$ServicePrincipalUpdate =@{
"notificationEmailAddresses"=$email
}
#Get All the Enterprise Applications (Filtered by SAML as the SSO Method)
#$samlApplications = Get-MgServicePrincipal -Filter "PreferredSingleSignOnMode eq 'saml'"
#Get All the Enterprise Applications that are not Microsoft or Externally Owned
$MyTenantApplications = Get-MgServicePrincipal -All | Where-Object {$_.AppOwnerOrganizationId -eq $tenantId}
#Loop through the SSO SAML Applications
foreach ($application in $MyTenantApplications)
{
#Update the Email Address for notifications only if the email doesn't match
if ($application.PasswordCredentials.DisplayName-eq"CN=Microsoft Azure Federated SSO Certificate")
{
if ($application.NotificationEmailAddresses-notcontains$email)
{
Write-Output-InputObject "Updating The Following Application Notification Email: $($Application.AppDisplayName)"
#You will need to reference to the Object ID - or just ID of the App.
Update-MgServicePrincipal-ServicePrincipalId $application.Id-BodyParameter $ServicePrincipalUpdate
}
else
{
Write-Output-InputObject "$($application.DisplayName) is set to notify: $email"
}
}
else
{
Write-Output-InputObject "This Application is not SAML based: $($application.DisplayName)"
}
}
#Disconnect-MgGraph